Why is security essential with the IoT?
The purpose of this ReadyForIT round table was to discuss the importance of security in deploying the IoT regardless of a special sector. The speakers focussed on construction, e-health and automobile.
How important is the IoT in different sectors?
Whether in the construction, health or automobile industry, data is a hot topic influenced by the growth of the IoT in business.
Just over a year ago, Bouygues launched an entrepreneurship program to encourage new ideas. Omniscient was the result, a company born around an idea based on the IoT and data: this start-up has already helped equip several construction sites.
It uses geo-location data to improve safety and efficiency on construction sites. The main goal is to create data in a sector like construction where data don’t really exist. Based on these data, the company wondered what services they could provide to users to allow them to adopt their own projects.
In the automotive industry
Connected vehicles are a major challenge for the car industry. Delphi divides the IoT into three categories:
- Objects managed by the ISD, like any run-of-the-mill terminal or sensor
- The IoT managed by departments other than ISD: production and connected industrial objects
- The rest, which are not managed by the company and remain unknown. This is a sort of nebulous entity for the group, whose impact is difficult to avoid if a vulnerability is exploited.
Delphi’s industrial sector is an ecosystem in which Delphi is not actually responsible for data. The company provides objects, but once they are installed in vehicles, the manufacturer becomes responsible for the data that are generated. Delphi limits part of the risk by establishing controls in a classic security management approach.
The Servier group operates in an area where it helps develop health IoT. So, security is important, especially for how sensors are managed. As in the automotive sector, once the tool has been developed, it is put in the hands of end users, i.e. patients, over whom no one has any real control other than the patients themselves.
So, total control no longer exists once the end user has the connected object. The company is faced with the problem of how to manage updates if a security flaw is detected.
What’s more, the device is “multiplied” in the field of e-health, which is one of its unique characteristics; there is no single connected object, but a healthcare object connected to a mobile application that controls it, a Wi-Fi interface, a website, and even the physician’s devices. This series of objects multiplies risk, because the entire chain has to be managed, from end to end.
What are the specifics of security for connected objects?
There are two aspects of security in the IoT, i.e. security applied to the object itself, and the IoT serving user security. In construction, connected objects are used to guarantee safety, the IoT offers for example additional safety on construction sites.
Furthermore, when integrating the concepts of personal data and data monitoring in projects, a different approach shouldn’t be created for connected objects. The advantages offered by the data that could potentially be personal have to be identified. Any data that simply contain information for the correct operation of the business, without being vital, are discarded.
These objects are just a means of collection and data are not stored in them. Instead, they generate data that are sent to an information system where they are stored.
In the medical industry, there are everyday objects posing the same problems that are placed in the hands of patients. Here, the security measures change, notably because everything is now contextualized with the GDPR. There are now more elements to be checked, and professionals are not able to go as far as they would like in terms of testing and analysis.
What about personal data?
When it comes to personal data, it is important right from the outset to determine which data are to be used. In all cases, data become personal when they are connected to the owner of the object. The recorder itself is of no use if no one knows who it belongs to.
Personal data and automobiles
Today’s information systems are very complex. Fabrice Delouche explains: “The ISD can’t control everything. I think it would be a waste of time to try to control all connected objects.” So, it’s important to find in-house allies.
Delphi’s ISD has partnered with the company’s business teams to better control and manage risk. This level of trust between business and DSI is logical, but depends on sharing, understanding and human relations: “The ISD must not assume the risk of objects it doesn’t control.”
Personal data and construction
In construction, the IoT on construction sites has to start with a blank slate in order to make the equipment safe and raise employee awareness. Because all industrial sectors have already worked extensively on the topic, Omniscient was able to simply use what had been tested in other industries.
There is not many risky data which is reconciled with geo-location data as late as possible in the process. This also ensures that data are linked to a person very late, i.e. just before the information is delivered to the user, or even never, if it is decided that the user doesn’t need the information. This is one way of avoiding risk: anyone can attack, but the company is in no danger from a personal data standpoint.
Data protection and updates in e-health
Hervé Fortin believes there are two focusses of transparency in terms of personal data. On the one hand, having personal data isn’t negative, or “dirty”. It is however important to explain what these data will be used for. The CNIL’s analysis laboratory has published practical guides on how to analyse data exchange chains for the IoT, in order to limit security errors.
In any case, updates are essential in the world of the IoT, otherwise, project start-up is subject to risks. Servier has chosen to position itself as a sub-contractor rather than a distributor of medical devices. It doesn’t process data itself but offers a guarantee of security with respect to the solution’s publisher, and the hosting companies, and the entire subcontracting chain.
Defining who does what, from the manufacturer to the distributer and the device’s user, is a subject of major importance right from day one.
Speakers: Nicolas Lemaire, Omniscient; Hervé Fortin, Groupe Servier and Fabrice Delouche, Delphi